Security and resilience - regulatory requirement in offshore wind

As offshore wind has become a cornerstone of European energy independence, it has also emerged as a prime target for physical, cyber and hybrid threats. In response, the EU has introduced strengthened resilience and preparedness requirements that are shaping a new regime of sector-specific legislation in Denmark impacting the energy sector, including offshore wind.

In 2022, shortly before Russia’s invasion of Ukraine, 5,800 wind turbines across Europe were affected by a large-scale cyberattack. The year before, a major Danish turbine manufacturer made public an extensive cybersecurity incident, which resulted in IT systems being shut down across multiple business units and locations. The attackers subsequently leaked the stolen data and offered it to third parties.

At the same time, sabotage-like incidents targeting subsea cables in the Baltic Sea have highlighted the vulnerability of critical offshore energy infrastructure.

In a report published by the Danish Defence Intelligence Service in December 2025, the agency states that “Russia in particular, but also other foreign states, pose a significant threat to critical infrastructure in the West.” This is also reflected in the Danish Intelligence Service’s assessment of the cybersecurity threat level as very high – the highest level.

In addition to the specific incidents, a range of recurring security challenges have emerged in relation to, inter alia, offshore wind. These include, for example, vulnerabilities in operational technology (OT) and control systems that were historically designed without modern security-by-design principles, legacy wind farms and communication systems that lack the necessary resilience, and physical security shortcomings such as poor-quality locks on wind farm cabinets.
 
The evolving threat landscape and complex operational challenges in offshore wind require organisations to adopt a new security mindset and integrate it throughout their governance, planning and processes to achieve a high level of resilience.

Security as a legal obligation in offshore wind

At present, there are 17 offshore wind farms in Denmark, comprising 666 turbines with a total installed capacity of approximately 2.7 GW. Additionally, a further 1 GW is under construction, and an important pipeline of large-scale projects involving cross-border interconnectors has just been agreed.

The scale, complexity and integration of offshore wind make it a cornerstone of the European energy system, where disruptions - physical or cyber - may have serious and far-reaching consequences not only for the security of energy supply, but also for the economic performance of operators and interconnected markets.

These risks have been recognised at EU level, prompting a significant strengthening of regulatory preparedness. In response, Europe has established binding legal obligations for member states to ensure resilience and preparedness. As a result, security in the Danish energy sector is now a mandatory requirement under national regulation.

Sector-specific regulation in the Danish energy sector

In Denmark, the sector-specific Act on Strengthened Preparedness in the Energy Sector has been adopted, implementing requirements from both NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) and CER (Directive (EU) 2022/2557 on the resilience of critical entities) through rules on organisational preparedness, physical protection, and cybersecurity. The Act provides that - among many others - electricity undertakings and producers fall within its scope of application.

Pursuant to the Act, an executive order on Resilience and Preparedness in the Energy Sector has been adopted, specifying the requirements laid down in the Act and how entities are covered by its rules. It is expressly provided that the entities’ production facilities, including facilities with offshore wind turbines, are covered.

Furthermore, the executive order classifies entities and their production facilities into levels and classes ranging from 1 to 5, where 5 is the highest. In the electricity sector, the level and class categorisations are primarily based on the production capacity of electricity producers and generating facilities. The higher the level and class, the more requirements apply to the entity and its facility. For example, entities at levels 3-5 must conduct preparedness drills at least once a year based on their own preparedness plans.

This classification model ensures that entities and facilities of greater societal importance are subject to stricter rules.

Supply chain security in the offshore wind sector

The regulation is not confined to internal measures within the entity and its production facilities but also addresses supply chain security vis-à-vis the entity’s suppliers. 

Offshore wind involves complex supply chains with infrastructure, hardware, software, service providers and remote access by third parties. 

Under the executive order, covered entities must be able to identify, assess and manage risks specific to each direct supplier and service provider. They must also have methods in place for assessing the resilience of supplied products.

In this regard, the executive order provides that requirements relating to organisational preparedness, physical protection, and cybersecurity must be reflected in supplier agreements. Suppliers must therefore be able to comply with such contractual requirements, and failure to do so may have contractual consequences.

At EU level, further clarification is also underway regarding supply chain requirements. The aim is to ensure legal certainty and prevent disproportionate obligations being imposed on entities not themselves within scope of the rules.  

In other words, the obligations applicable to entities in the energy sector will flow down the supply chain and indirectly impose requirements on suppliers as well. In practice, this mechanism extends the regulatory perimeter beyond formally covered entities, creating indirect but binding security obligations for actors throughout the supply chain.

Practical challenges for covered entities

Entities subject to the energy-sector rules face a number of practical and strategic challenges in meeting their obligations. 

First, the sheer scope and complexity of the regulatory framework - integrating NIS2 and CER into a sector-specific regime - means that many organisations must build or enhance governance, documentation and reporting capabilities from scratch rather than relying on legacy processes.

Second, many energy operators must balance old and new technology environments. OT systems such as SCADA and turbine control infrastructure were often designed without modern cybersecurity protections.

Third, supply chain complexity creates challenges for risk management. With large numbers of third-party hardware, software and service providers, ensuring consistent security standards across the network of suppliers is resource-intensive and requires continuous oversight.

Finally, many organisations struggle with resource constraints and internal competencies, particularly when new compliance obligations demand specialised skills in cybersecurity.

Management responsibility

Under the new regulatory regime, security is not merely a technical or operational matter - it is a top management responsibility.

The management body is responsible for approving and overseeing the entities’ risk management and preparedness.

This is not a one-off exercise, but a continuous process that requires the management body to approve the security measures adopted by the entity and to oversee their ongoing implementation. In addition, members of the management body must also continuously participate in relevant training or educational programmes concerning organisational preparedness, physical security, and cybersecurity.

Furthermore, boards and executive management cannot delegate cybersecurity and physical resilience solely to IT or operational teams. As such, accountability rests at the highest level of the organisation, and failures may carry regulatory, reputational and contractual consequences.

Proportionate and risk-based implementation

Implementation of the measures requires a risk-based approach.

For many offshore wind operators, recognised standards can serve as practical implementation tools. Frameworks such as ISO 27001 for information security management and IEC 62443 for industrial control systems, which are both relevant and risk-based, can be used as guidelines. However, adherence to such standards does not automatically imply compliance with regulatory requirements, which must be given specific attention through e.g. gap analysis and legal compliance analysis and documentation.

At the same time, although guidelines obviously aim to provide guidance, historically guidelines have often also added more - or at least another kind of - complexity. Further, the Commission (assisted by ENISA) has previously proved itself willing to publish quite extensive guidelines etc., including guidelines (and soft obligations) that have been well above what many entities had analysed as appropriate security measures within the risk-based approach at entity level.

In a Danish context, guidance issued by the authorities - including NIS2 guidance from The Danish Resilience Agency (SAMSIK) - may help translate legal obligations into operational measures.

Navigating a complex framework

The Danish regime makes security a structural requirement affecting project design, procurement, IT/OT architecture and supply chains, requiring organisations to integrate preparedness considerations into operational and governance processes.

Meeting Denmark’s preparedness requirements in the energy sector involves navigating a complex framework of rules that touch on risk assessment, governance, supply chain security and ongoing compliance, and that demand both technical implementation and legal clarity as regulatory expectations evolve and oversight increases.

However, in an environment where regulatory scrutiny and threat levels continue to increase, security in offshore wind is not only a legal obligation - but a strategic strength.
